Amazon Linux 2023 Security Advisory: ALAS2023-2025-1180
Advisory Released Date: 2025-09-15
Advisory Updated Date: 2025-09-15
tracing is a framework for instrumenting Rust programs to collect structured, event-based diagnostic information. Prior to version 0.3.20, tracing-subscriber was vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to manipulate terminal title bars, clear screens or modify terminal display, and potentially mislead users through terminal manipulation. tracing-subscriber version 0.3.20 fixes this vulnerability by escaping ANSI control characters when writing events to destinations that may be printed to the terminal. A workaround involves avoiding printing logs to terminal emulators without escaping ANSI control sequences. (CVE-2025-58160)
Affected Packages:
rust-cargo-c
Issue Correction:
Run dnf update rust-cargo-c --releasever 2023.8.20250915 or dnf update --advisory ALAS2023-2025-1180 --releasever 2023.8.20250915 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
aarch64:
cargo-c-debuginfo-0.9.32-3.amzn2023.0.4.aarch64
cargo-c-0.9.32-3.amzn2023.0.4.aarch64
rust-cargo-c-debugsource-0.9.32-3.amzn2023.0.4.aarch64
src:
rust-cargo-c-0.9.32-3.amzn2023.0.4.src
x86_64:
cargo-c-debuginfo-0.9.32-3.amzn2023.0.4.x86_64
cargo-c-0.9.32-3.amzn2023.0.4.x86_64
rust-cargo-c-debugsource-0.9.32-3.amzn2023.0.4.x86_64